From 315bfb3cfd52ff169a03422cde1dfa2869c6b1c9 Mon Sep 17 00:00:00 2001
From: "bootc-bot[bot]" <225049296+bootc-bot[bot]@users.noreply.github.com>
Date: Fri, 16 Jan 2026 21:18:19 +0800
Subject: [PATCH] Sync common files from infra repository (#1920)

Synchronized from bootc-dev/infra@e6bcd3444045825b890b2203bed18ea9c1a4df89.

Signed-off-by: bootc-dev Bot
Co-authored-by: bootc-dev Bot
---
 .bootc-dev-infra-commit.txt | 2 +-
 .github/workflows/openssf-scorecard-gate.yml | 28 +++++++++++
 .github/workflows/openssf-scorecard.yml | 50 --------------------
 3 files changed, 29 insertions(+), 51 deletions(-)
 create mode 100644 .github/workflows/openssf-scorecard-gate.yml
 delete mode 100644 .github/workflows/openssf-scorecard.yml

diff --git a/.bootc-dev-infra-commit.txt b/.bootc-dev-infra-commit.txt
index 1da92438..c69167a9 100644
--- a/.bootc-dev-infra-commit.txt
+++ b/.bootc-dev-infra-commit.txt
@@ -1 +1 @@
-d5a5a62c9810a416e4cc98f377c05343393f7c14
+e6bcd3444045825b890b2203bed18ea9c1a4df89
diff --git a/.github/workflows/openssf-scorecard-gate.yml b/.github/workflows/openssf-scorecard-gate.yml
new file mode 100644
index 00000000..830564a2
--- /dev/null
+++ b/.github/workflows/openssf-scorecard-gate.yml
@@ -0,0 +1,28 @@
+# Gate PRs on OpenSSF Scorecard regressions.
+#
+# See also: https://github.com/ossf/scorecard/issues/1270
+name: OpenSSF Scorecard
+
+on:
+  pull_request:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+  scorecard:
+    name: Scorecard
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Check for regressions
+        uses: bootc-dev/actions/openssf-scorecard@main
+        with:
+          base-sha: ${{ github.event.pull_request.base.sha }}
+          head-sha: ${{ github.event.pull_request.head.sha }}
diff --git a/.github/workflows/openssf-scorecard.yml b/.github/workflows/openssf-scorecard.yml
deleted file mode 100644
index 314a0fa7..00000000
--- a/.github/workflows/openssf-scorecard.yml
+++ /dev/null
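Review bot: The new Checkout step drops the `persist-credentials: false` that the deleted openssf-scorecard.yml set, so the job's GITHUB_TOKEN is left in the checkout's git config on disk while the following `bootc-dev/actions/openssf-scorecard@main` step runs; with only `contents: read` granted the exposure is limited, but the hardening was already in place and should carry over as `persist-credentials: false` under the checkout `with:`. Both `actions/checkout@v6` and `bootc-dev/actions/openssf-scorecard@main` resolve a mutable tag or branch rather than a commit digest, and since Scorecard's own Pinned-Dependencies check scores exactly this, a regression gate that is itself unpinned may count against the repository it gates, while `@main` in particular lets the gate's behaviour change without any commit here. The deleted workflow records that SHA pinning was deliberately avoided, so if that remains the project's stance a comment on the new file such as `# Actions are intentionally not SHA-pinned; see the infra repo policy` would keep the decision visible to Scorecard reviewers, and otherwise at least the `@main` reference should be pinned to a release tag or commit. Presumably `fetch-depth: 0` is there so that `base-sha` is reachable from the PR merge checkout; a one-line comment saying so (`# full history so base-sha is reachable for the regression diff`) would spare the next reader the guess.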
@@ -1,50 +0,0 @@
-# Upstream https://github.com/ossf/scorecard/blob/main/.github/workflows/scorecard-analysis.yml
-# Tweaked to not pin actions by SHA digest as I think that's overkill noisy security theater.
-name: OpenSSF Scorecard analysis
-on:
-  push:
-    branches:
-      - main
-
-permissions: read-all
-
-jobs:
-  analysis:
-    name: Scorecard analysis
-    runs-on: ubuntu-24.04
-    permissions:
-      # Needed for Code scanning upload
-      security-events: write
-      # Needed for GitHub OIDC token if publish_results is true
-      id-token: write
-
-    steps:
-      - name: "Checkout code"
-        uses: actions/checkout@v6
-        with:
-          persist-credentials: false
-
-      - name: "Run analysis"
-        uses: ossf/scorecard-action@v2.4.3
-        with:
-          results_file: results.sarif
-          results_format: sarif
-          # Scorecard team runs a weekly scan of public GitHub repos,
-          # see https://github.com/ossf/scorecard#public-data.
-          # Setting `publish_results: true` helps us scale by leveraging your workflow to
-          # extract the results instead of relying on our own infrastructure to run scans.
-          # And it's free for you!
-          publish_results: true
-
-      - name: "Upload artifact"
-        uses: actions/upload-artifact@v6
-        with:
-          name: SARIF file
-          path: results.sarif
-          retention-days: 5
-
-      - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@v4
-        with:
-          sarif_file: results.sarif
-